M365 Security Groups not working to control access to SharePoint Sites in multiple tenants.

Copper Contributor

I’m pulling my hair out and need someone to point out that I’ve missed something really simple.

The Scenario/Problem

In 4 different tenants, I’ve created a Communication SharePoint site and assigned an M365 Security Group as both the Site Admins and the Site Owners; which should be redundant, but it gives clarity to the members and visitors of who has access as they do not see the Site Admins. I’ve also added one user into the Site Owners to view the permissions and site settings.

After waiting for a reasonable period of time to allow for propagation, users added to the Security Group are denied access to the sites even though a check of the M365 Security Group’s permissions come back as “Full via the SharePoint Owners Group”.

If I add the users in question individually, they can access.

What I’ve Checked

- letting a longer propagation period to elapse
- double-checking the users added to the security group
- removing and re-adding the users to the security group
- double-checking the security group added to the site and any of its SharePoint groups
- removing and re-adding the security group to the site and any of its SharePoint groups
- clearing browsers cache’s
- incognito or private mode in browsers
- trying different browsers
- the Internet for answers (including ChatGPT and Bing AI) for hours, and hours…
- sacrificing a goat (its a stuffed Goat, does it still count?)

What I need from this group

A strong drink and a time machine. But really, I need someone, anyone, to tell me I’m not losing my mind in using security groups for managing site access at the Owner, Member and Visitor level. Everything I’m reading says it should (and either I’m hallucinating or I’ve done this before… just not recently) and yet 2 client and 2 dev tenants are proving that wrong. Has something changed recently? Am I missing something really simple? Am I alone in this problem?

Any help or direction would be greatly appreciated as I’m at my wit’s end.

pulling-my-hair.png

 

8 Replies

@TREVOR_STYLER I noticed this just today too. It was working fine until recently. I use security groups to grant access to Power BI reports, Power Apps, and SharePoint sites - all working fine except for SharePoint. Really hoping this issue is solvable and temporary.

I've started to notice it failing in things like Audience targeting for SharePoint navigation
Has anyone found any solutions for this? Azure security group and SharePoint access?
I have a ticket open with Microsoft (still) but the issue seems to have resolved itself on new groups. Still have an issue with an older SG that still doesn't work.

I'll report any findings
Having similar problems. Working with an org that has two different entities on the same tenant. I created a couple of security groups to separate the two sets of staff out. Adding one of the groups with Edit permissions to a SharePoint site and members of that Security Group still get the 'Request Access' page.
So it took some time to resolve with Microsoft (not a top priority ticket with them to be fair) and the issue has a simple resolution. Even though you have users as owners in the security group, they MUST ALSO BE MEMBERS of the same group in order to have access to whichever resource and membership level you're assigning them to. This seems counter-intuitive and problematic if you want the security group owners to be owners of said resource and the members to be at a different membership level. I'm not sure I fully understand or agree with this solution, but it works. It just means I have to consider how users are provisioned access in this manner.

Curious to hear your thoughts on this.
Dang that stinks. Completely defeats the purpose of security groups
Yeah, It's always been like that. Same goes for if you restrict Group creating, then everyone needs to be a member even if they are a owner.